Hi guys,
I played with w3af for the first time today. I'm specifically
interested in the XSS scanning (crawling + fuzzing).

It seems w3af does not catch the case when the site echoes the
double-encoded JavaScript.
I added the following tests to xss.py, in the function _get_xss_tests:

        # D.S  - url escaped injection string
        xss_tests.append(('%3CSCrIPT%3Ealert%28%22RANDOMIZE%22%29%3C/SCrIPT%3E',
                          [browsers.ALL, ]))

        # D.S  - double quoted injection string
        xss_tests.append(('%2522%253E%253Cscript%253Ealert%2528/RANDOMIZE/%2529%253C/script%253E',
                          [browsers.ALL, ]))

Then it does pick it up.

Here's the PHP file that I used to test it:

<?php
  // Deliberately vulnerable test page: echoes the parameter as received
  // (after the web server's own URL decode) and again after a second
  // urldecode(), both without output escaping.
  $param = isset($_GET['param']) ? $_GET['param'] : '';
  echo "Initial param: $param<BR>\n";
  $param_esc = urldecode($param);
  echo "Param decoded: $param_esc <BR>\n";
  // compose the URL to the current page
  // (square-bracket access; the $_SERVER{...} brace form is removed in PHP 8)
  $url = !empty($_SERVER['HTTPS']) ? 'https://' : 'http://';
  $url .= $_SERVER['SERVER_NAME'];
  if (!empty($_SERVER['SERVER_PORT'])) {
    $url .= ":" . $_SERVER['SERVER_PORT'];
  }
  $url .= $_SERVER['PHP_SELF'];
  if (!empty($_SERVER['QUERY_STRING'])) {
    $url .= '?' . $_SERVER['QUERY_STRING'];
  } else {
    $url .= '?' . 'param=a';
  }
  echo '<A href="' . $url . "\">$url</A>";
?>

and here's the related w3af output with the added tests:

Starting xss plugin execution.
Cross Site Scripting was found at: "[URL]", using HTTP method GET. The sent
data was:
"param=%252522%25253E%25253Cscript%25253Ealert%252528/9v5SFsQ4yG8Wd/%252529%25253C/script%25253E".
This vulnerability affects ALL browsers. This vulnerability was found in the
request with id 45.

One request - would it be possible to add an option in the audit config xss:
set numberOfChecks all
so that when you are modifying the source you would not have to worry about
the number of tests you run. It would also be interesting to give each test
a short but descriptive name (like "double.enc") and allow the user to
specify exactly which tests they want to run.

Cheers, may the brute force be with you! :)

Dimitri
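The following is an added illustration, not part of the post above and not w3af code. It models why a scanner needs a double-URL-encoded test variant: the web server decodes the query string once before the application sees it, and an application that decodes a second time (like the PHP test page above) turns "%253C" into "<" on its own. The three page models, the RANDOMIZE token value and the test names ("plain", "single.enc", "double.enc", echoing the naming idea in the post) are all constructed here. Two of the page models are assumptions about common output-encoding mistakes; the third shows the correct order (finish decoding, then HTML-escape) that none of the tests reach.

```python
from urllib.parse import quote, unquote
import html

# Constructed stand-in for w3af's RANDOMIZE token (a real scan uses a fresh random value).
RANDOMIZE = "9v5SFsQ4yG8Wd"
MARKER = f"<script>alert(/{RANDOMIZE}/)</script>"

# Named test variants, in the spirit of the "double.enc" naming suggested in the post.
XSS_TESTS = {
    "plain": MARKER,
    "single.enc": quote(MARKER, safe=""),
    "double.enc": quote(quote(MARKER, safe=""), safe=""),
}


def server_decode(query_value: str) -> str:
    """One URL-decode, as the web server/PHP does when it populates $_GET."""
    return unquote(query_value)


# Three constructed application behaviours. Each receives the value after the
# server's own decode and returns the HTML it would emit.
def echo_raw(p: str) -> str:
    # Like the PHP test page: decodes a second time and echoes without escaping.
    return f"Initial param: {p}<BR>\nParam decoded: {unquote(p)} <BR>\n"


def escape_then_decode(p: str) -> str:
    # Ordering bug (assumed model): escapes first, then decodes, so a "%3C"
    # passes through html.escape untouched and only becomes "<" afterwards.
    return f"Param: {unquote(html.escape(p))}<BR>\n"


def decode_then_escape(p: str) -> str:
    # Correct ordering: all decoding finishes before output escaping.
    return f"Param: {html.escape(unquote(p))}<BR>\n"


def reflected(body: str) -> bool:
    """True if the live (unescaped) marker appears in the response body."""
    return MARKER in body


def scan(page) -> dict:
    """Return {test name: detected} for one application behaviour."""
    return {name: reflected(page(server_decode(payload)))
            for name, payload in XSS_TESTS.items()}


if __name__ == "__main__":
    for page in (echo_raw, escape_then_decode, decode_then_escape):
        print(f"{page.__name__:20s} {scan(page)}")
```

Running it shows the raw-echo page is caught by every variant, the escape-then-decode model is caught only by "double.enc", and the decode-then-escape page by none; the defensive takeaway is that output escaping must be the last transformation applied, and that a scanner's test set should cover one encoding layer more than the application is expected to strip.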
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
